Last month, White House Cybersecurity Coordinator Rob Joyce announced that he would be leaving his position, a role within the White House’s National Security Council responsible for synchronizing the information security efforts of all federal agencies. The job also entailed setting policy for defensive and offensive network operations by the US military, Department of Homeland Security, and intelligence community. It’s a big job, and it’s one that Joyce had unique credentials for—he used to direct the Office of Tailored Access Operations (TAO), the National Security Agency’s main network intrusion and hacking unit.
Joyce’s departure would leave some big shoes to fill. But President Donald Trump has apparently decided that those shoes can easily be filled by NSC Director John Bolton all by himself. In an executive order yesterday, Trump eliminated the national cybersecurity coordinator position in a reorganization of the NSC, placing authority of all things cyber on Bolton and his NSC staffers.
That move has prompted concern from members of Congress, and from Democrats in particular, who have called for Trump to reverse the move.
Another brick in the firewall
“This is yet another example of the Trump Administration talking a big game on national security but taking steps that directly undermine our ability to combat emerging threats,” Rep. Ted Lieu (D-Calif.) said in a statement after news of Trump’s decision broke. “As a computer science major and Air Force veteran, I can tell you that eliminating the White House cybersecurity coordinator will endanger our economy, critical infrastructure, and possibly American lives.”
Lieu and Congressman Jim Langevin (D-R.I.)—co-founder and co-chair of the Congressional Cybersecurity Caucus—submitted a bill this morning in the House that would permanently establish a position of director of cybersecurity policy at the White House. The bill, entitled the “Executive Cyberspace Coordination Act of 2018,” would establish a National Office for Cyberspace within the Executive Office of the President, entirely separate from the National Security Council. “The decision to eliminate the top White House cyber policy role is outrageous, especially given that we’re facing more hostile threats from foreign adversaries than ever before,” said Lieu.
While the Obama administration created the role of National Cybersecurity Coordinator in 2009—naming former George W. Bush administration cyber advisor and US CERT Chief Security Strategist Howard Schmidt to the job—the Bush administration laid the groundwork for such a role after the September 11, 2001 terrorist attacks by naming Richard Clarke as special advisor to the president on cybersecurity.
Clarke’s role as the first “cyber czar” fell within the Office of Management and Budget; the “czar” job shifted to the Department of Homeland Security, with the formation of the National Cybersecurity Center and Rod Beckstrom serving as its first director. But while DHS took over oversight of cybersecurity for the civilian agencies of government, there was still no single point of guidance for coordinating policy and security operations across all the government’s networks. Beckstrom resigned from the job because of a lack of funding—and a lack of cooperation from the NSA.
That problem led to the creation of the National Cybersecurity Coordinator role—one czar to rule all the cyber—as part of the National Security Council. Schmidt and his successor, Michael Daniel, took point in the administration for developing national and international cybersecurity strategy, and they oversaw the implementation of government information security policies. Under Daniel’s watch, the Obama administration created a Cybersecurity National Action Plan (CNAP) that has provided much of the direction for agencies’ information security strategy since. President Trump’s cybersecurity executive order was largely cribbed from the CNAP.
Abort, retry, ignore
The Trump administration was initially slow to fill the role left by Daniel after he was discharged. Joyce wasn’t named to the cybersecurity coordinator position until March of 2017, and the chaos within the NSC in the first months of the administration didn’t make for much in the way of progress on policy. So the continuation of the course set by the Obama administration was welcomed by many in the information security field.
However, with NSC Director H.R. McMaster’s departure and the elevation of Bolton to that position, in addition to the departure of Joyce, that comfort appears to be evaporating—especially since Bolton, who has no particular “cyber” expertise, is now moving to guide cyber policy himself.
The NSC currently has two “senior directors” for cybersecurity policy: Joshua Steinman and Grant Schneider. Steinman, a Navy Reserve officer who left the Defense Department to work at a cyber-security firm, was brought on as a cybersecurity director for NSC in January, just days after the inauguration. Steinman had reportedly been positioning himself to fill Joyce’s job.
Schneider has significant government IT security experience—he was deputy US chief information security officer (CISO) in the Obama administration and was elevated to the role of acting CISO after Trump’s inauguration. He was added to the NSC team in August of last year to fill a “vacated senior director position,” as the White House put it, while retaining the CISO role. (Trump has yet to name a Federal CISO, and he eliminated the White House CISO role last year.)
But neither NSC cyber director has the expertise Joyce brought to the position, and they will certainly not have the same level of authority.
“We have had three excellent cybersecurity coordinators since the late Howard Schmidt originated the position,” Rep. Langevin said in a statement. “It is an enormous step backwards to deemphasize the importance of this growing domain within the White House.”
Similar concerns were voiced by representatives of the IT industry, including the Computing Technology Industry Association. CTIA Executive VP Elizabeth Hyman told NBC News, “A cohesive and comprehensive cybersecurity strategy across all agencies within the federal government can only be accomplished when there is one office specifically tasked with coordination.”
Chris Painter, a former NSC cyber policy director from the Obama administration, tweeted his concern:
“Alas poor Coordinator. I knew him Horatio.”-that’s right, it’s a tragedy. Structure isn’t everything but structure speaks to priority & ability to drive decisions & coordinate oft disparate views. Every study, commission or other review suggested higher not lower placement. https://t.co/rMOj3aTbH6
— Chris Painter (@C_Painter) May 15, 2018
Creating a White House office dedicated to cyberspace, Lieu said, would ensure that there was consistent and coordinated policy across the entire government in the face of growing threats to national security. “A coordinated effort to keep our information systems safe is paramount if we want to counter the cyber threats posed by foes like Russia, Iran and China,” he said. “To do anything less is a direct threat to national security.”
The bill authored by Lieu and Langevin, which is co-sponsored by a number of senior House Democrats (but no Republicans), would make the director of the National Office for Cyberspace a Senate-confirmed position, responsible for coordinating cybersecurity issues across the government, directing the defense of government networks in the event of an attack, and promoting civil liberties in “cyberspace.” The bill is based largely on recommendations from the Center for Strategic and International Studies’ Commission on Cybersecurity for the 44th Presidency, (which Langevin co-chaired from 2008 to 2010) that were never implemented.